cardosofelipe/pragma-stack
Template
1
0
Fork 1
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

chore(backend): extend Makefile with audit, validation, and security targets

Browse Source 
- Added `dep-audit`, `license-check`, `audit`, `validate-all`, and `check` targets for security and quality checks.
- Updated `.PHONY` to include new targets.
- Enhanced `help` command documentation with descriptions of the new commands.
- Updated `ARCHITECTURE.md`, `CLAUDE.md`, and `uv.lock` to reflect related changes. Upgraded dependencies where necessary.
This commit is contained in:
Felipe Cardoso
2026-03-01 12:03:34 +01:00
parent 68275b1dd3
commit 57e969ed67
11 changed files with 1805 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
backend/pyproject.toml
View File

@@ -20,43 +20,37 @@ dependencies = [
"uvicorn>=0.34.0",
"pydantic>=2.10.6",
"pydantic-settings>=2.2.1",
"python-multipart>=0.0.19",
"python-multipart>=0.0.22",
"fastapi-utils==0.8.0",
# Database
"sqlalchemy>=2.0.29",
"alembic>=1.14.1",
"psycopg2-binary>=2.9.9",
"asyncpg>=0.29.0",
"aiosqlite==0.21.0",
# Environment configuration
"python-dotenv>=1.0.1",
# API utilities
"email-validator>=2.1.0.post1",
"ujson>=5.9.0",
# CORS and security
"starlette>=0.40.0",
"starlette-csrf>=1.4.5",
"slowapi>=0.1.9",
# Utilities
"httpx>=0.27.0",
"tenacity>=8.2.3",
"pytz>=2024.1",
"pillow>=10.3.0",
"pillow>=12.1.1",
"apscheduler==3.11.0",
# Security and authentication (pinned for reproducibility)
"python-jose==3.4.0",
"passlib==1.7.4",
"bcrypt==4.2.1",
"cryptography==44.0.1",
"cryptography>=46.0.5",
# OAuth authentication
"authlib>=1.3.0",
"authlib>=1.6.6",
"urllib3>=2.6.3",
]
# Development dependencies
@@ -73,6 +67,14 @@ dev = [
# Development tools
"ruff>=0.8.0", # All-in-one: linting, formatting, import sorting
"pyright>=1.1.390", # Type checking
# Security auditing
"pip-audit>=2.7.0", # Dependency vulnerability scanning (PyPA/OSV)
"pip-licenses>=4.0.0", # License compliance checking
"detect-secrets>=1.5.0", # Hardcoded secrets detection
# Pre-commit hooks
"pre-commit>=4.0.0", # Git pre-commit hook framework
]
# E2E testing with real PostgreSQL (requires Docker)
@@ -131,6 +133,8 @@ select = [
"RUF", # Ruff-specific
"ASYNC", # flake8-async
"S", # flake8-bandit (security)
"G", # flake8-logging-format (logging best practices)
"T20", # flake8-print (no print statements in production code)
]
# Ignore specific rules
@@ -144,6 +148,8 @@ ignore = [
"S607", # Starting a process with a partial path (safe usage)
"B008", # FastAPI Depends() in function defaults (required by framework)
"B904", # Exception chaining (overly strict for FastAPI error handlers)
"G004", # f-string logging (TODO: migrate existing 300+ occurrences to lazy %)
"G201", # .exception() vs .error(exc_info=True) (TODO: migrate existing 64 occurrences)
]
# Allow autofix for all enabled rules
@@ -154,11 +160,13 @@ unfixable = []
[tool.ruff.lint.per-file-ignores]
"app/alembic/env.py" = ["E402", "F403", "F405"] # Alembic requires specific import order
"app/alembic/versions/*.py" = ["E402"] # Migration files have specific structure
"tests/**/*.py" = ["S101", "N806", "B017", "N817", "S110", "ASYNC251", "RUF043"] # pytest: asserts, CamelCase fixtures, blind exceptions, try-pass patterns, and async test helpers are intentional
"tests/**/*.py" = ["S101", "N806", "B017", "N817", "S110", "ASYNC251", "RUF043", "T20"] # pytest: asserts, CamelCase fixtures, blind exceptions, try-pass patterns, async test helpers, and print for debugging are intentional
"app/models/__init__.py" = ["F401"] # __init__ files re-export modules
"app/models/base.py" = ["F401"] # Re-exports Base for use by other models
"app/utils/test_utils.py" = ["N806"] # SQLAlchemy session factories use CamelCase convention
"app/main.py" = ["N806"] # Constants use UPPER_CASE convention
"app/init_db.py" = ["T20"] # CLI script uses print for user-facing output
"migrate.py" = ["T20"] # CLI script uses print for user-facing output
# ============================================================================
# Ruff Import Sorting (isort replacement)